Article for Medill: HIPAA’s side effects

If you’re away while a loved one gets hurt and an ambulance from the Niles Fire Department whisks him or her to a hospital, don’t call the fire station to find out which hospital â€“ walk in with a picture ID or start calling local hospitals.

Under the Health Insurance Portability and Accountability Act (HIPAA) passed by Congress in 1996, the Niles Fire Department is barred from telling callers where it took a patient, said Lt. Martin Feld, Emergency Medical Services Coordinator at the Niles Fire Department. Relatives or loved ones must come to the fire station and present a picture ID, he said.

HIPAA, a complex set of regulations with multiple deadlines for compliance, was designed to protect the privacy of Americans’ health care information and to streamline the health care and health insurance industry.

Before HIPAA, a phone call was enough for Feld. He would tell the caller which hospital the patient was taken to if the caller could confirm a few personal details about the patient — his or her name, date of birth and address.

The ease of acquiring information in the pre-HIPAA era created problems as well as solutions.

“Back when I first started, almost 20 years ago, a woman would come in and read ambulance reports,” Feld said.

Ambulance reports, filed by paramedics after treating patients, contain confidential medical information about those patients. The Niles fire department, recognizing the sensitivity of the information, disallowed such access in the 80s, Feld said. Today the department keeps ambulance reports in a locked box instead of a tray and only two people in the department have a key to the box, Feld said.

More recent privacy measures undertaken by the fire department include adding another piece of equipment to its ambulances â€“ a “tri-fold.”

A “tri-fold” is a one-page form, folded into a three-column brochure which describes how a patient’s medical information may be used by the fire department. Since the passing of an October 16 HIPAA compliance deadline, paramedics at the Niles Fire Department must try to have patients sign it, Feld said. By signing the form, patients consent to limited, specific releases of their medical information. If a patient is incapacitated, paramedics will try to get a signature from a family member or other legitimate representative of the patient, Feld said, adding that the extra HIPAA paperwork presents an unusual challenge to the fire department.

“I don’t think the intent [of HIPAA] was ever to trickle down to the fire departments,” he said.

But even without a signature, medical information that is related to the patient’s treatment can still be released, so paramedics can tell doctors what happened to a patient, Feld said. When doing so, HIPAA requires medical personnel to use “reasonable safeguards,” according to the U.S. Department of Health and Human Services Web site. The site gives two examples of reasonable: confirming fax numbers with the person to whom information is being sent and lowering one’s voice when discussing a patient’s care while others are within earshot.

HIPAA still allows a paramedic without a signed tri-fold to tell people at the scene of an accident about what happened to a patient if the paramedic believes the person receiving the information â€“ the husband of an incapacitated wife, for example â€“ could be reasonably expected to receive the information, Feld said.

The tri-fold’s addition to the rescue process marks the biggest difference in how paramedics do their work since HIPAA’s inception, Feld said. He cautioned that others fire departments might have different HIPAA compliance methods.

Evanston Fire Department complies with HIPAA by declining to tell callers which hospital a patient was taken to, Chief of Operations Blair Haltom said. However, the fire department will tell callers the names of the two hospitals to which the Evanston Fire Department brings all of its patients and suggest the caller contact them. Before HIPAA the department would name only the pertinent hospital.

“It’s a back door way to do things, but that’s what we have to do,” Haltom said. “All we need to do really is not violate HIPAA.”

Nancy Jaffe, Assistant General Counsel at Rush Shore North Medical Center in Skokie, said the Niles Fire Department’s interpretation of HIPAA was “pretty strict.”

If someone called Rush looking for a patient, the hospital could say whether the patient were admitted, unless the patient told the hospital not to release the information, Jaffe said. The hospital could also tell the caller the patient’s location and general condition: fair, stable or critical. If the patient was incapacitated, Jaffe said hospital employees would use their best judgment regarding the release of patient information.

“What HIPAA did was put a lot of layers of paperwork on top of that [Rush’s privacy policy],” she said.

Each violation of a HIPAA regulation can incur a fine of up to $100 and fines related to one particular code cannot exceed $25,000 per year, according to the Department of Health and Human Services Web site.